SECURITY
withinLabs is HIPAA-compliant. We sign a BAA with every practice, encrypt all PHI, and maintain an audit trail on every record.
Business Associate Agreement
withinLabs signs a BAA with every practice before they import patient data. Available on day one.
PHI handling policy
Protected health information is processed only as needed to provide the service. PHI is never used to train AI models.
Patient rights
withinEHR supports right-of-access, amendment, and accounting of disclosures as required by HIPAA.
In transit
TLS 1.3 on all connections. No unencrypted transport of PHI.
At rest
AES-256 encryption on all stored data, including database volumes and backups.
Key management
Encryption keys are managed separately from encrypted data. Keys are rotated on a defined schedule.
Role-based permissions
Clinicians, admins, and billing staff each have scoped access. Permissions are set at the practice level.
Audit logging
Every read, write, and delete on PHI is logged with user ID, timestamp, and action. Logs are immutable.
Multi-factor authentication
MFA is required for all withinEHR accounts. SSO available for enterprise practices.
Hosting
United States-based infrastructure on Cloudflare and AWS. PHI does not leave US borders.
Backups
Daily automated backups with tested restoration procedures.
Uptime
99.9% uptime target. Incident status at status.withinlabs.io. [PLACEHOLDER: link once status page is live]
Vulnerability management
Dependency scanning on every build. High and critical CVEs are patched within 72 hours.
Defined playbook
withinLabs maintains a written incident response plan covering detection, containment, eradication, recovery, and communication.
Breach notification
In the event of a breach involving PHI, withinLabs notifies affected practices within 60 days as required by HIPAA.
Security contact
Report security concerns, responsible-disclosure findings, or any other security inquiry to security@withinlabs.io. We respond within one business day.
withinLabs does not currently operate a public bug-bounty programme.
See withinEHR in full — schedule a 30-minute walkthrough with the team.